CVE-2022-32984
Description
BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the credentials of a lightning node are exposed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BTCPay Server 1.3.0-1.5.3 leaks xpub and lightning credentials in HTML source of public Point of Sale apps.
Vulnerability
BTCPay Server versions 1.3.0 through 1.5.3 contain an information disclosure vulnerability in the Point of Sale (POS) component. When a POS app is publicly exposed, the HTML source code includes sensitive store information: the extended public key (xpub) of the store, and if the store uses an external lightning node, the lightning node credentials. The vulnerability was introduced in version 1.3.0 and patched in version 1.5.4 [1].
Exploitation
An attacker with network access to a publicly exposed POS app can view the HTML source code of the page. No authentication or special privileges are required. By inspecting the source, the attacker can extract the xpub and, if applicable, lightning credentials. The attack does not require user interaction or any race condition.
Impact
Successful exploitation allows the attacker to obtain sensitive information: the store's xpub (which can be used to derive addresses and monitor transactions) and, if an external lightning node is used, the lightning node credentials (which could allow unauthorized access to the lightning node). This compromises the confidentiality of the store's financial operations and may lead to further attacks.
Mitigation
The vulnerability was fixed in BTCPay Server version 1.5.4, released on May 28, 2022 [1]. Users running versions 1.3.0 through 1.5.3 should upgrade to 1.5.4 or later. There is no known workaround; the only mitigation is to update the software. The release notes for version 1.6.0 also mention the fix and urge users to upgrade.
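Since the only mitigation is upgrading, an operator's practical checks are whether the running release is in the affected range and whether a public POS page still exposes wallet or lightning material. The script below is an added example, not BTCPay Server's own code and not part of this CVE record: `is_affected` applies the version range stated on this page, and `scan_html` looks through a saved copy of a POS page for extended public keys (standard 111-character base58 strings with an xpub/ypub/zpub or testnet tpub/upub/vpub prefix) and for lightning connection strings. The `type=...;server=...;...` connection-string pattern and the JSON field names in the constructed sample page are assumptions, not BTCPay's actual markup; the sample key and credentials are made up.

```python
"""Defender-side checks for CVE-2022-32984 (added example, not BTCPay code).

1. is_affected(version): is this BTCPay Server release in 1.3.0..1.5.3?
2. scan_html(html): does a saved public POS page contain an xpub or a
   lightning connection string that should not be there?
"""
import re
from html import unescape

# Affected range as stated in the advisory: >= 1.3.0 and <= 1.5.3, fixed in 1.5.4.
AFFECTED_MIN = (1, 3, 0)
FIRST_FIXED = (1, 5, 4)

# Extended public keys: 4-character prefix + 107 base58 characters (111 total).
# Lookarounds stop a longer base58 blob from being cut into a false match.
_B58 = "1-9A-HJ-NP-Za-km-z"
XPUB_RE = re.compile(
    rf"(?<![{_B58}])([xyzYZtuvUV]pub[{_B58}]{{107}})(?![{_B58}])"
)

# ASSUMED format for a lightning connection string: "type=<impl>;key=value;..."
# (e.g. server=, macaroon=). Heuristic only; adjust to your deployment.
LN_CONN_RE = re.compile(r"\btype=[\w-]+;(?:[\w-]+=[^;\s\"'<>]*;?)+")


def parse_version(version: str) -> tuple:
    """'v1.5.4' -> (1, 5, 4); ignores anything past the third component."""
    return tuple(int(p) for p in version.strip().lstrip("v").split(".")[:3])


def is_affected(version: str) -> bool:
    """True when the release falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIRST_FIXED


def scan_html(page_html: str) -> dict:
    """Return any xpubs and lightning connection strings found in page source.

    Entities are decoded first so secrets embedded in attributes or inline
    JSON (e.g. &quot;) are not missed.
    """
    text = unescape(page_html)
    return {
        "xpubs": XPUB_RE.findall(text),
        "lightning_connection_strings": LN_CONN_RE.findall(text),
    }


def redact(value: str, keep: int = 8) -> str:
    """Show only a prefix so a report does not re-leak the secret."""
    return value[:keep] + "..." if len(value) > keep else value


# --- Constructed sample page (not real BTCPay markup, not a real key) ---
FAKE_XPUB = "xpub" + ("6Av1" * 27)[:107]          # 111 chars, base58 only
FAKE_LN = "type=lnd-rest;server=https://ln.example.invalid:8080;macaroon=deadbeef"
SAMPLE_POS_HTML = f"""<html><head><title>Point of Sale</title></head>
<body>
<script>
  var storeConfig = {{"derivationScheme": "{FAKE_XPUB}",
                      "lightningConnectionString": "{FAKE_LN}"}};
</script>
<h1>Coffee - 0.0001 BTC</h1>
</body></html>"""


if __name__ == "__main__":
    for v in ("1.2.9", "1.3.0", "1.5.3", "1.5.4"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    findings = scan_html(SAMPLE_POS_HTML)
    for kind, values in findings.items():
        for value in values:
            print(f"LEAK {kind}: {redact(value)}")
```

Run it against `curl -s https://<your-store>/apps/<id>/pos > pos.html` output (your own store only) by passing the file contents to `scan_html`; any hit on a page served to anonymous visitors means the instance needs the upgrade and, for lightning credentials, a rotation of the exposed credential.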
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BTCPay Server / BTCPay Server
- Range: >=1.3.0, <=1.5.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.